Penetration Tester
1mo ago
EuropeSeniorowaspmitre att&ckexploit developmentprivilege escalationlateral movement
Seeking an experienced Penetration Tester to identify vulnerabilities across AI pipelines and software platforms.
Requirements
- Please submit your application in English. It’s our company language, so you’ll be speaking lots of it if you join.
- We treat all candidates equally - if you’re interested, please apply through our careers portal.
Other
- TL;DR: We're looking for a world-class Penetration Tester with a name in the field. You'll push Lovable's platform to its limits, hunt vulnerabilities across our AI pipelines and user-generated code, and make sure attackers never get there before you do.
- Lovable lets anyone and everyone build software with any language. From solopreneurs to Fortune 100 teams, millions of people use Lovable to transform raw ideas into real products - fast. We are at the forefront of a foundational shift in software creation, which means you have an unprecedented opportunity to change the way the digital world works. Over 2 million people in 200+ countries already use Lovable to launch businesses, automate work, and bring their ideas to life. And we’re just getting started.
- We’re a small, talent-dense team building a generation-defining company from Stockholm. We value extreme ownership, high velocity, and low-ego collaboration. We seek out people who care deeply, ship fast, and are eager to make a dent in the world.
- 12+ years of hands-on penetration testing experience across web, mobile, APIs, and cloud infrastructure.
- A track record the field knows about: CVEs to your name, hall-of-fame credits in major bug bounty programs, or a reputation that precedes you.
- Deep expertise in offensive security techniques: OWASP, MITRE ATT&CK, exploit development, privilege escalation, and lateral movement.
- Hands-on experience using AI as part of your hacking workflow — not just testing AI systems, but actively leveraging it as an offensive tool.
- Experience attacking AI-native products or LLM-integrated systems, including prompt injection, model abuse, and data exfiltration vectors.
- Strong understanding of cloud environments (GCP, AWS, Cloudflare) and the attack surfaces they introduce.
- Ability to translate complex findings into clear, prioritised reports that engineering teams can act on immediately.
- Low ego, high output. You collaborate as naturally as you compete against systems.
- Bonus: experience with red team operations, supply chain attacks, or mobile security (iOS/Android). Familiarity with SAST/DAST tooling.
- Own offensive security end-to-end: plan and execute penetration tests across Lovable's web platform, mobile surface, APIs, cloud infrastructure, and AI pipelines.
- Break our AI before others do: probe LLM integrations for prompt injection, jailbreaks, data leakage, and novel attack vectors unique to AI-generated code running in live products.
- Stress-test user-generated code at scale: identify systemic vulnerabilities introduced when millions of users create and deploy real applications on Lovable.
- Turn findings into action: work directly with engineering to prioritise, remediate, and verify fixes, closing the loop between discovery and resolution.
- Raise the security bar org-wide: run internal red team exercises, contribute to threat modelling, and embed an attacker's mindset across the engineering culture.
- Help make Lovable the most secure AI product in the market.
- Frontend: React and TypeScript
- Backend: Golang and Rust
- Cloud: Cloudflare, GCP, AWS, Modal, multiple LLM providers
- DevOps & Tooling: GitHub Actions, Grafana, OTEL, infra-as-code (Terraform)
- Data: Clickhouse, Firestore, Spanner, BigQuery
- And we're always exploring what's next!